Most organisations leverage technology to allow them to remain digitally integrated with their customers, third party service providers and business partners. With the varying levels of maturity around information security across organisations, third party or ‘ecosystem generated’ attacks are seen as an easier way to gain access to the ultimate targets, being the larger corporations.
‘Third Party Cyber Attacks’ are fast becoming one of the most prominent threats to businesses in Australia. This style of attack often leverages vulnerabilities in our ecosystem and outsourced service providers’ environments, rather than our own. This is because of the change in the trust dynamic, where our service providers usually hold a higher degree of elevated system access to be able to integrate and do business with us more easily. With these elevated privileges, a compromise can potentially have a broader impact than just to the system of the service providers and can extend easily into other connected environments like our own.
According to Symantec’s 2018 threat report, the number of supply chain attacks in 2018 was estimated to be 78% higher than that of the previous year, and growing.
There have been a number of high profile data breaches as a result of these types of cyber-attacks. The most notable is the attack against retail giant Target in 2013, which saw 60 million customers affected when Target’s network was compromised using stolen login credentials. These stolen network credentials were subsequently used to plant malware and steal data from 40 million credit cards residing on Target’s Point of Sale (POS) systems. More recently, in early 2019, Taiwan-based computer manufacturer ASUS was subject to an Advanced Persistent Threat (APT): cybersecurity and anti-virus provider Kaspersky Labs identified and disclosed that threat actors had compromised the ASUS Live Update Utility, causing up to an estimated 500,000 users to download the malicious software on their ASUS machines.
Neither Target nor ASUS was the initial compromise target in those scenarios.
To better manage potential risks from third party cyber-attacks, organisations can adopt the following tactical and strategic approaches that will assist in managing risks and establishing a security baseline between service providers and organisations.
Attackers will often target and look to exploit ‘weak’ points within an outsourced third party to gain access to the wider organisation’s ecosystem.
E.g. Target 2013
Compromised third party infrastructure
In the world of technology, if you do not trust a website, a person or an email, you are unlikely to download or click anything associated with that untrusted source. Attackers can leverage the trust placed in a company, and its ability to directly provide a service or product to consumers, to mount a third party cyber-attack.
E.g. ASUS 2019
Understand contractual obligations
Businesses should always be required to show one another evidence of good security controls. As such, building these into contractual agreements can ensure suppliers are improving their security footprint within their own environment. This could be a matter of suppliers demonstrating the effectiveness of their controls through metrics such as time to detect threats and time to resolve them.
Up-to-date security policies and standards
Conduct third party vendor risk assessments
Identify data owners and custodians
Test incident response plans